Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
23.4.24  APT  The Hacker News

The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.

The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8).

It was addressed by Microsoft as part of updates released in October 2022, with the U.S. National Security Agency (NSA) credited for reporting the flaw at the time.

According to new findings from the tech giant's threat intelligence team, APT28 – also called Fancy Bear and Forest Blizzard (formerly Strontium) – weaponized the bug in attacks targeting Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.

"Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions," the company said.

"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks."

Forest Blizzard is assessed to be affiliated with Unit 26165 of the Russian Federation's military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Active for nearly 15 years, the Kremlin-backed hacking group's activities are predominantly geared towards intelligence collection in support of Russian government foreign policy initiatives.

In recent months, APT28 hackers have also abused a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), indicating their ability to swiftly adopt public exploits into their tradecraft.

"Forest Blizzard's objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information," Microsoft said. "GooseEgg is typically deployed with a batch script."

The GooseEgg binary supports commands to trigger the exploit and launch either a provided dynamic-link library (DLL) or an executable with elevated permissions. It also verifies if the exploit has been successfully activated using the whoami command.

The disclosure comes as IBM X-Force revealed new phishing attacks orchestrated by the Gamaredon actor (aka Aqua Blizzard, Hive0051, and UAC-0010) that deliver new iterations of the GammaLoad malware -

GammaLoad.VBS, which is a VBS-based backdoor initiating the infection chain
GammaStager, which is used to download and execute a series of Base64-encoded VBS payloads
GammaLoadPlus, which is used to run .EXE payloads
GammaInstall, which serves as the loader for a known PowerShell backdoor referred to as GammaSteel
GammaLoad.PS, a PowerShell implementation of GammaLoad
GammaLoadLight.PS, a PowerShell variant that contains code to spread the spread itself to connected USB devices
GammaInfo, a PowerShell-based enumeration script collecting various information from the host
GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based on an extension allowlist
"Hive0051 rotates infrastructure through synchronized DNS fluxing across multiple channels including Telegram, Telegraph and Filetransfer.io," IBM X-Force researchers said earlier this month, stating it "points to a potential elevation in actor resources and capability devoted to ongoing operations."

"It is highly likely Hive0051's consistent fielding of new tools, capabilities and methods for delivery facilitate an accelerated operations tempo."